- ISO (International Organization for Standardization)
- NIST (National Institute of Standards and Technology)
- What is a Framework?
- What are Framework components?
- Introduction to ISO framework
- Is it mandatory to have an ISO-certified company?
- Introduction to NIST Framework
- Does one truly need ISO or NIST frameworks to run a business?
- Difference between ISO & NIST standards
- Popular ISO & NIST standards (ISO 9001, ISO 27000, ISO 31000, NIST CSF, NIST 800-53 & 800-37)
- Comparative analysis (ISO 27005, ISO 31000, NIST 800-37)
What a Framework in Risk Management is
A risk management framework is the set of references and tools that decision-makers rely on when deciding how to manage risk. It can include, for example, policies, strategies, plans, processes and models, and statements of your organization's position on risk.
What goes into your framework depends on two things:
- The risks, threats and challenges in your internal and external context.
- The risk maturity of your environment.
RISK IDENTIFICATION:
Organizations must build an extensive list of all possible threats to their systems and data, regardless of where those threats originate (internal or external).
RISK ASSESSMENT:
For each risk identified by the process above, organizations need to create a detailed risk profile and assign each risk a score based on its potential impact.
RISK MITIGATION:
Once a thorough risk assessment has been carried out, organizations need to establish a plan for mitigating the risks that were identified and scored.
REPORTING AND MONITORING:
Organizations must periodically review their risk identification, assessment, and mitigation strategies to ensure that they remain effective.
RISK GOVERNANCE:
Implement and oversee all of the risk management steps defined above.
Introduction to ISO
ISO, the International Organization for Standardization, is a non-governmental organization established in 1946 that comprises standards bodies from more than 160 countries. ISO is the international body responsible for creating, setting, and promoting standards. To date it has published more than 22,600 standards and related documents that apply to all kinds of industries and disciplines, such as Quality Management, Health & Safety Management, Risk Management, and Information Security Management.
The International Organization for Standardization has a six-stage process for developing standards. The stages include the following:
- Proposal stage
- Preparatory stage
- Committee stage
- Enquiry stage
- Approval stage
- Publication stage
Introduction to NIST
NIST is the abbreviated name of the National Institute of Standards and Technology. It is one of many federal agencies under the U.S. Department of Commerce. The NIST Cybersecurity Framework (CSF), published in 2014, helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data. The Framework is voluntary. It gives your business an outline of best practices to help you decide where to focus your time and money for cybersecurity protection.
The RMF (Risk Management Framework) is mandated for Federal Government organizations and is rarely used in the private sector. In contrast, the CSF is voluntary and is aimed at private sector use, especially in critical infrastructure industries.
There are five pillars of the NIST Framework.
DOES ONE TRULY NEED ISO OR NIST FRAMEWORKS TO RUN A BUSINESS?
Adopting a risk management framework has the potential to help businesses mitigate future risks without hindering growth. A strong risk management framework can offer organizations a number of key benefits:
- Protection of assets
- Reputation management
- Protection against loss of competitive advantage
- Reduced legal risk
- New business opportunities
Remember, an effective risk management framework should be more than a set of standards and rules. It should deliver actionable results that make a real difference in how your business and workforce perform in the long term.
This blog on risk management frameworks covers the sets of ISO and NIST standards that should be followed to protect your information and security environment. Cyber Security Blogger @87sTechiesMania
Yes, today's business needs security implementations.